Re: [lamps] struggling with CSRAttrs
David von Oheimb <David.von.Oheimb@siemens.com> Tue, 02 August 2022 10:45 UTC
Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E3AC1907B7 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 03:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.611
X-Spam-Level:
X-Spam-Status: No, score=-4.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SCC_THREE_WORD_MONTY=2.497, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6iNsSJTlJlM2 for <spasm@ietfa.amsl.com>; Tue, 2 Aug 2022 03:45:20 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50075.outbound.protection.outlook.com [40.107.5.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71540C14CF09 for <spasm@ietf.org>; Tue, 2 Aug 2022 03:45:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dx1IlQmsW4JG+vCZQMli50kttR9Os0RzW11gr0X8mIGM4rMKmd4qlj5IE3H7/rc5nkS01QIixbrUIbJS9y7mCaowhudb2DR9F2zyF/Ua8ZFq216FTJ7moNRpsXPgqlFrh0/FbXwl9BlT11rE/wf7BeV4bvwiMdafRmU/cdw+vz5tnO21GcUALpw14zEuOFs2V9lwj20St4W2u5re7r0PFNcm2ahR0TpSZMPJeukqV8mc0Xq3xE82GEBWAykSmk8HNP9IzVj1W0Ei4NjgRSBR+a29USUbJzbBTb3uZPG+Xc/UI38KgYHoMAh1vukSjhyiK3FxWfq+K2rfe6w2AnLnBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yUVT5GB/M+4+1RQHSsdFXSufQk+OsRPM1X+CZC5L034=; b=Dq2K7xmWh6h4WZ2qOLCj+XVj4Mc4VCYM9XMdDkhBY4IbTGAGi0YNOXdc85J3f6/rfELh+xXmU2V+X0+tMRf+lFRLjp8qKntGAM5H5T95F6HjYNPYJfCzsujX//g6u8QDhzr7jNlCNP7i/nsgPrlXQoyOct5kEMFC/zLp3gUzqG8cJqUyHkeVvsOunXaCx+v1g5o/LSTjc9ofWdW2mFgR4g6KpURJgCkK8jD1ZgfGWHEeOBBdSLkjt6zVmQ0K2OvIVbUYdaXY0AkyZaZC49WEh6MPco57fU/X3YE4Z2+t66pRZBfJkvuB7EaP6x9t5Z04XWD2n2j+dqxq2MN4cMgtqQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yUVT5GB/M+4+1RQHSsdFXSufQk+OsRPM1X+CZC5L034=; b=t0J0YZOSrGuCaTexSATBm/Sh6CxR11iPvbNk+t3v1cQffyoM0+MvbLsc0tTLSOtjbiVr2oH6sC3ugbcfZVmDVHVIa6DLbgzn5gEVIC1o0S3ceCipP9Qh4tpC2U0wMge9TnmeqP3Gyjg802rMETYGVyXPoiootJu3A7vu+oZGNyZX/mzu+4ro7QdpOZAF3RFHtotDb9fVM4QRwExazj9M4ygEP6xPhp+W6/E5b7/atgmHCPs50fzeusFU1jIcs+oEgI2ZMzoAHYx/S/mjASjcztbpCZsH0pNKZO+xK92LJXgO2JZzXa95FiWgHA5G0x0ruYboNVNB0lMJYcIFQXS3aw==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by PAXPR10MB4899.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:1dc::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5482.6; Tue, 2 Aug 2022 10:45:15 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::d812:1924:5b55:5f81%8]) with mapi id 15.20.5482.015; Tue, 2 Aug 2022 10:45:15 +0000
Content-Type: multipart/alternative; boundary="------------V6R7MAmgcJVOnMLfVlvSny9K"
Message-ID: <56a8af3a-63f2-5f19-62d9-59469ab678bf@siemens.com>
Date: Tue, 02 Aug 2022 12:45:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: David von Oheimb <David.von.Oheimb@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: LAMPS WG <spasm@ietf.org>
References: <12352.1657505901@localhost> <ada963a796ca3fafb42a29751020ff4326fd2a1e.camel@von-Oheimb.de> <563732.1659120308@dooku> <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
In-Reply-To: <36c409c2-ab92-4ec2-6f1e-235652a243d9@siemens.com>
X-ClientProxiedBy: FR0P281CA0013.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:15::18) To DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 37568314-613d-445d-88f4-08da7474150e
X-MS-TrafficTypeDiagnostic: PAXPR10MB4899:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: nYxTezuMUh/a19b6qi1jYpA8FJjy3NxTcGKcuFPyCHcSWXvQOu4n+W+vvF7r1xr9IkhWqRmoZHCVApRaE4zS6ce5QtZxgGGS5KW0AGZXQFpvGKlySkVAmm+KtQSqi39eHhITywvNvEOO966AIjQzoyiW6+zLP3xZa89iQWguNCYs4qpXVH9vayZhCdbJlhg+el6iCGZ//jAEsryKuSwnSMIXUgaTFkL3MV0SDHAoJF4/yrOZ2MjCnvnY1fkkGTXYnkcz1hU1t/UnLE32KaSiXvbqObZl5GIw7P5hAn8IN+dIYQjkxJpAhHMowA6VZGC9lyTnKaM1ND0CK+iDeUFDrHvmdgWDRvrbzYmqd8zDaGmrWQyJrKTBkywKlIjGG73g6bjFh6mupZ2yqZJjkCbgBtU+vHxvvRzrsnnz4J9JG1eZ7FvrhWUH9+fDgW4ekQMTbwbRnG7dUfCagfwJ0u7kjYwv1PSuISTPFkrTWd+MVlcXkJ4RjNrEKFjTWuy3ldBstTQMhyeecAN7iCEO6s0z3kaireGuzKlt7UORlj3AyVFHQKKvM2KCrgrdv/cNcPS5DBBBLx8XG2Q8YxRp0hddMJ5DtgU8dKMlWre1Ty+9UylXjQVfhKyA/Dd1wAnryECln9TxVV5GEB/R8NSAzPF4kYvX5Zc0E40KJXW+JsfxPOUK+T8OzXJ3sV7K1uSOf4dc6nY3If/7tj0vebz504Dwc7fbNUwepnaCu1gnv/lLViwKFICW9JSJmRFq/NaUUkp9RStnVDqwRnuIpWxM/BfLfg4U9MnabCVufeBY18UeEXolpzoffcGhud4K3sHRHUPnULntigEOBqyqtiFpn0iL+UWnLL6IcCo03+hdqT5BrSTaMyruTIPl4z+lQzSbf0YDxTo/hrNuqg3iZWwXrNZbPg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(396003)(346002)(366004)(376002)(136003)(39860400002)(41300700001)(83380400001)(2616005)(31686004)(166002)(86362001)(2906002)(33964004)(6666004)(53546011)(6506007)(30864003)(6512007)(36756003)(26005)(38100700002)(6486002)(186003)(8676002)(66946007)(66556008)(66476007)(8936002)(478600001)(4326008)(5660300002)(31696002)(316002)(966005)(82960400001)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: KsIDV9wBhBHT+x+k7mLw5nlSL528zUHyZEhBNa6CaG7c/Gc5x6PlUtfq63MR5/UvrMNmy7qA6UMWGVp4M6iE+T7MDOldG1fy0wvgWJJWpmj36TYxqkdPMoMEXhi1cHH+K03zjzYoxg/CQyVvPiB0N1W17cIvc2Bz3aOuzvgSno9H0TwO4/qRbNLEpgBDMdwFp8Xd8blw7YBqZrFNfyP5Ci0screHbtaRD2nEzY0r/VvujIE/fC7aTLfykhK1n3yQfThH5XlZBlxXTgfjTVNSUANPfKMgYQEtl2hhzfmXLUekij0VRaXqPwFgLlUb+18bglWU9aAFeYjqPNVH0BB278ukr/VBWNIzYZW5zENcPAlGnu6lV/axYFZK/nDmxxwDVDDV2O6cy0WpdPRCC5k2nR6oQPo1QCJxlXbXavVL/VFPejCjz7HXWiqc/2udMt9NtxizSsRZeedITqJ/hG6dJoOUZfVJO0KMURxztcoKb6UdM+eKLXelzqzEPtG8MgXIfBSTQFkaPKZLCYl9hks24vCC5jcwEa50zL0hWXxcL4nyuD7qPhaZyfY8FS5VOkmRfuCd+aK3TjK1a/8q7jw/RZmgdr7dLpjnNF8dcKsAxzZFaz8oUujZyKUxYIzRU81ujR8sBgVSaqtF5Ssr+Tuy06JES2ODg33h+pUH1llPI5wAu6ANG+NEsyGQlV3ZMf7zTSS9957CWn/xQ12yHxrBIsxP1T+r+SwyZjZiYyAthwYyG2kb1rXOuXoNtJ+Epe0isarueCzfHF471RwHmkmk4JyfEZZ40A8+dmuGiBYiI9qYzO6yzODEShIKTlOArFaBswCC+3cD1x5F9oaTgTdOsqL4MYybOWEFV9O3r3xprnn3xqnH13OFCqQjKLiKsvl4SKAWP5ss1UVfJHPbTk7CflOA9l/0+vlvScNVKfc3ZJNYvaLM/LwRDEe/RfxTODIyLK1aqslA2IYoyRQ15ouzs85WAFBtdZct3ES0XufUGGvnb/qSqOtIcYTEMonBYqxs3OFw0lY9jo9OqFui7fWyPFR9fzL8d+6Utiq/+Alid8Qr4M5vj4icBjOZWuzzoi2kQbgf1uzuke8vQWiEtg+lTtRN8on46A0ZPmGkHP3bk2kd8JvzP6rH/OvVCxrPwQrRdfCq3eqKP2fbVhwE/7+yx9jas9DirzH4klWylvPDmLeI2WlCwzUvUP24n1nNjiZDuiNUmMrQC+5wiOaA487ck5YL30Cl0fbw+2kOQ8m2gzXIyNbQ8UHekOU1RSR7TknTIweFxGHKPp6d+yWw+HjG1iM8ul75s7TX2f0NJoMU01CVCc/pZK1BdsQZnxPGaAl6usTAuHgKw00VGXAbJRKwtXCWrBiK5Ft69DzNLgihuRdkApScVJOqBifA0zo+0gJ51HDlcUR46mdTZKlJhUluGORkY4scJVtbCrPfr2SnjLHp2FOMmEJsuLNFfOyIdao71fHJjxeBBNdqKUd4v6+YqqcK+U6BH7KgZPwZedICIDNN8u8io1d5aBDIEZwv8wbeuR70b+ovdvLXSEGkuXBdhSeypmpDVWkZwYHBREabyHaHGpw9wQo131NK8A3J8p7svdHq08xJIIAXzC2UulGxhIB29dxlflKSVCTvhcDj9gw=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 37568314-613d-445d-88f4-08da7474150e
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Aug 2022 10:45:15.4815 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: cWzkP+FIyTWps3IR3eevtZ8zqRf8h/aITMjeyTwTIznX3uJeTVunBM++OMkk/sqUPHKZvhYKuYNLGQhx4UP6HGoKF6z7rExHupxjCr58WVo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR10MB4899
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6oCcn6QedlnSbjvNZhFvJBjkeZ0>
Subject: Re: [lamps] struggling with CSRAttrs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 10:45:24 -0000
Here are further things to clarify, which I happened to come across yesterday when tweaking the OpenSSL implementation <https://github.com/openssl/openssl/pull/18931> of X.509 extensions in PKCS#10 CSRs (and certs). It is common practice for PKCS#10 objects to contain just one X.509 extension attribute with a single set element, although this appears not explicitly required by RFC 2986 <https://www.rfc-editor.org/rfc/rfc2986> (at least I did not find this there), and the value of this attribute is a sequence of actual extensions: Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension defined in RFC 5280 section 4.1 <https://datatracker.ietf.org/doc/html/rfc5280#section-4.1>, which also makes clear that X.509 certs can bear only one such list: TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, ... extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version MUST be v3 } As mentioned on July 19 (see other email below), the CsrAttrs syntax gives quite some needless freedom how to represent multiple X.509 extensions (and potentially other types of attributes). I believe we should clarify that * There MUST be /at most one/ attribute describing X.509 extensions, i.e., one bearing the OID extensionRequest (1.2.840.113549.1.9.14) as its type. * The set in such an X.509 extension value MUST contain exactly one element. * The value of such an attribute MUST be of type Extensions, i.e., a sequence of Extension. In this light, I've just updated the example to reflect the type *SEQUENCE OF* Extension and extended it with two (non-critical) extensions to make it more general/educative: SEQUENCE { SEQUENCE { OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14) SET { SEQUENCE { SEQUENCE { OBJECT IDENTIFIER basicConstraints (2 5 29 19) OCTET STRING, encapsulates { SEQUENCE {} } } SEQUENCE { OBJECT IDENTIFIER extKeyUsage (2 5 29 37) OCTET STRING, encapsulates { SEQUENCE { OBJECT IDENTIFIER serverAuth (1 3 6 1 5 5 7 3 1) } } } SEQUENCE { OBJECT IDENTIFIER subjectAltName (2 5 29 17) [0] { BOOLEAN TRUE } OCTET STRING, encapsulates { SEQUENCE { [2] 'domain.example' } } } } } } } Moreover, we might specify what an empty list of X.509 extensions means, such as to express that no X.509 extensions should/must be used in the CSR. David On 31.07.22 19:40, David von Oheimb wrote: > > Hi Michael et al. > > On 29.07.22 20:45, Michael Richardson wrote: >>>> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { >>>> extType ATTRIBUTE.&id({IOSet}), >>>> extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) >>>> } >>> Well, this definition is semantically identical to the original one. >>> So better not rename the two fields of the Attribute structure, i.e., we >>> should stick with 'type' and 'values', >>> in particular since there may be attributes that are not X.509 >>> extensions. >> I found it clearer, but if you object to this rename, then I'll go with your preference. > > Let's keep the original field names. > Also because this underlines the important fact that we do not change > the ASN.1 syntax at all, > which is critical for bits-on-the-wire compatibility, but we just > clarify its use and interpretation. > > I've just made a pass on lamps-rfc7030-csrattrs.mkd in the GitHub > repository. > Its new version contains various suggestions for improvements here and > there. > Also updated the subjectAltName example to be of the more usual form > of a dNSName > and inserted two questions/remarks: > > (TODO: Do we want to allow an empty extnValue (which is of type OCTET > STRING), which would mean that the client is told to include an X.509 > extension of the given type and fill in the concrete value itself?) > > (TODO: Note that this mechanism does not support telling the client > to include in the CSR a specific subject DN, simply because there is > no OID for this. I think we should better make this clear, or we > have to define such an OID if setting a subject name should be > supported.) > > I also corrected the spelling of my (co-author's) name in > presentations/ietf114-lamps-csrattrs.{fodp,pdf}. > > David > > On Tue, 2022-07-19 at 20:58 +0200, David von Oheimb wrote: > Hi Michael, Sean, et al., > > on Sun, 2022-07-10 at 22:18 -0400, Michael Richardson wrote: >> >> Sean, sorry to be asking this with less than 24h to ID cut-off. >> I didn't want to post an updated ID until I had example code that >> produced >> what I *thought* you are suggesting. Moving a SEQ/SET around isn't that >> hard... only now I've confused myself. >> >> We had: >> >> CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID >> >> AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, >> attribute Attribute } >> >> Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { >> extType ATTRIBUTE.&id({IOSet}), >> extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) >> } > > Well, this definition is semantically identical to the original one. > So better not rename the two fields of the Attribute structure, i.e., > we should stick with 'type' and 'values', > in particular since there may be attributes that are not X.509 extensions. > > According to > https://datatracker.ietf.org/doc/html/draft-richardson-lamps-rfc7030-csrattrs > the only thing that is "changed" is the clarification that the > attributes may contain entire X.509 extensions. > So BTW I believe we can and should claim that this is bit-on-the wire > compatible with RFC 7030. > > >> with the understanding that extAttr could be a SET of Extensions. > > Better also state that in this case the type/extType field MUST bear > the value extensionRequest (1.2.840.113549.1.9.14). > > >> Each Extension is given by: >> >> Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension > > The Extensions structure is only needed within certificates (where > there is just one extensions field). > All needed here is the Extension structure - there are already more > than enough of those sequences and sets around;-) > >> >> Extension ::= SEQUENCE { >> extnID OBJECT IDENTIFIER, >> critical BOOLEAN DEFAULT FALSE, >> extnValue OCTET STRING >> -- contains the DER encoding of an ASN.1 value >> -- corresponding to the extension type identified >> -- by extnID >> } >> >> >> 1) I'm not sure why I need a SET of a Sequence, unless your intent >> was that >> extAttr could be an *Extension* ?? I'm gonna go with yes here, but I >> didn't code that yet. > > In my view, the set-valued > > extAttr SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) > (or better, as in the original definition in 7030): > values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) > > is not really needed because multiple attributes can be given anyway > using multiple attributes, and each of them may then have a different > type. > If multiple values are given as a set within a single attribute, all > its elements must have the same type. > So in practice I suppose that for all attributes the SETs given within > each of them usually will have just one value element. > >> >> 2) I think that extnID would be things like subjectAltName, >> i.e. OID: 2.5.29.17 > > Right. > >> >> But, if so, what is extType for this? > > The (ext)type is needed to provide the information, using > "extensionRequest", that an X.509 extension is being given in this > attribute. > > >> >> ASN1 that I have right now, where I've put subjectAltName in twice: >> >> obiwan-[projects/pandora/fountain](2.6.6) mcr 10396 %dumpasn1 >> tmp/csr_bulb1.der >> 0 84: SEQUENCE { >> 2 82: SEQUENCE { >> 4 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) <--- WHAT >> GOE, uS HERE? > Replace this by extensionRequest (1.2.840.113549.1.9.14) > >> >> 9 75: SET { >> 11 73: SEQUENCE { <--- SEQUENCE here might be undesired. > SEQUENCE here is fine, as demanded by the Extension structure. > >> 13 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) >> 18 3: [0] { > The "[0] {" (and the closing 2}") is likely superfluous/wrong here. > >> 20 1: BOOLEAN TRUE >> : } >> 23 61: SEQUENCE { >> 25 59: [0] { >> 27 57: UTF8String >> : 'rfc8994+fd739fc23c3440112233445500000000+@acp.ex' >> : 'ample.com' >> : } >> : } > This encoding of a SAN appears strange to me - which flavor of > GeneralName are you aiming at? > >> : } >> : } >> : } >> : } > > - David
- [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] strugling with CSRAttrs David von Oheimb
- Re: [lamps] strugling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs David von Oheimb
- Re: [lamps] struggling with CSRAttrs Corey Bonnell
- [lamps] Fixed the RFC 8994 / ACP Subject Alternat… David von Oheimb
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] struggling with CSRAttrs Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] struggling with CSRAttrs Russ Housley
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… von Oheimb, David
- [lamps] IANA Considerations text for OID allocati… Michael Richardson
- Re: [lamps] IANA Considerations text for OID allo… Russ Housley
- Re: [lamps] IANA Considerations text for OID allo… Michael Richardson
- Re: [lamps] [EXTERNAL] Re: IANA Considerations te… Mike Ounsworth
- Re: [lamps] IANA Considerations text for OID allo… Tim Hollebeek
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Michael Richardson
- Re: [lamps] Fixed the RFC 8994 / ACP Subject Alte… Esko Dijk
- Re: [lamps] examples in lamps-rfc7030-csrattrs Michael Richardson
- Re: [lamps] examples in lamps-rfc7030-csrattrs Corey Bonnell